
Attacks/Breaches
10/21/2013 11:53 AM
Martin Lee
Commentary

Is Your DNS Server A Weapon?

As we improve our defenses against distributed-denial-of-service (DDoS) attacks, the bad guys adapt and step up their game, too. Here's how to use your domain name servers to ward off hackers.

Distributed denial of service (DDoS) attackers aim to either overload the CPU or clog networks with irrelevant traffic. These attackers often control large numbers of computers that are part of botnets and instruct them to make repeated requests to a website, overloading networks and processing power. However, security teams can fight back by blocking connections from botnet IP addresses to protect bandwidth and ignoring repeat requests to the same URL to protect processing power.

As a result, to conduct a successful denial of service attack, attackers must amplify the effect of the resources under their control. One way that can happen: DNS amplification.

DNS requests are an ideal mechanism by which attackers can increase the amount of traffic thrown at their victims, while hiding the origin of the attack. Many DNS servers on the Internet are configured as "open resolvers" that accept and respond to DNS queries from anywhere on the Internet. Sending very small requests to these servers can result in large replies that can be directed toward a victim's systems.

For example, the short query to retrieve all DNS records for the domain InformationWeek.com:

dig ANY informationweek.com

results in a large amount of information being returned:

;; ANSWER SECTION:
informationweek.com. 11334 IN NS ns2.ubm-us.net.
informationweek.com. 11334 IN NS ns1.ubm-us.net.
informationweek.com. 11334 IN NS ns3.ubm-us.net.
informationweek.com. 11334 IN SOA ns1.ubm-us.net. dnsadmin.ubm-us.net. 201310100 1800 900 1209600 1800
informationweek.com. 11334 IN A 192.155.48.18
informationweek.com. 11334 IN AAAA 2620:103::192:155:48:18
informationweek.com. 11334 IN MX 10 mailhost.ubm-us.net.
informationweek.com. 11334 IN TXT "v=spf1 mx include:spf.ubm-us.net -all"
informationweek.com. 11334 IN TXT "google-site-verification=doCdAIQ4FJ3yo-047WoLHDdjRLjR_A9qHK-PIIlYLmU"

;; Query time: 0 msec
;; SERVER: 10.30.40.15#53(10.30.40.15)
;; WHEN: Thu Oct 17 03:31:00 2013
;; MSG SIZE rcvd: 346

In this case, sending a 45-byte DNS request packet results in 346 bytes of DNS information being returned: the reply is 7.7 times the size of the request, an amplification factor of 7.7.

Including other information in DNS records, such as cryptographic keys to comply with DNSSEC or DKIM standards, enlarges the response from the DNS server. A query for any DNS information for the domain whitehouse.gov results in 2877 bytes of information being returned, an amplification factor of 71.9 compared with the request.
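To show where the request sizes behind these factors come from, here is an added Python example (not part of the original article) that encodes a DNS question in wire format and works out the amplification factor from a quoted response size. It assumes the article's request sizes include the 8-byte UDP header on top of the DNS payload (12-byte header, encoded name, type and class); the transaction ID and the small type table are the example's own choices.

```python
import struct

UDP_HEADER_BYTES = 8  # assumption: the article's request sizes count the UDP header
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: a length byte before each label, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "ANY", txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: 12-byte header plus one question, no other sections."""
    flags = 0x0100  # RD (recursion desired), as dig sets by default
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question, 0 RRs
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    return header + question


def amplification(name: str, response_bytes: int, qtype: str = "ANY") -> tuple[int, float]:
    """Return (request size on the wire, response size divided by request size)."""
    request_bytes = len(build_query(name, qtype)) + UDP_HEADER_BYTES
    return request_bytes, response_bytes / request_bytes


if __name__ == "__main__":
    # Response sizes are the two figures quoted in the article.
    for domain, rcvd in (("informationweek.com", 346), ("whitehouse.gov", 2877)):
        req, factor = amplification(domain, rcvd)
        print(f"{domain}: {req}-byte request, {rcvd}-byte reply, amplification x{factor:.1f}")
```

Running it reproduces the article's arithmetic: 37 bytes of DNS payload plus the UDP header gives the 45-byte request for informationweek.com, and the 2877-byte whitehouse.gov reply divides by a 40-byte request to give 71.9. The same function can be pointed at your own zone's response sizes to see how attractive a reflector your authoritative data would make.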

DNS queries are sent as UDP packets, meaning that the source of the request is not verified by a handshake in the same way as TCP, allowing the origin to be falsified. Members of a botnet can spoof DNS requests to appear to have come from a victim's IP address, causing DNS replies to be sent to that address rather than to the address of the request originator. Hence, a small botnet can cause a large amount of data to be sent to the victim's network; a large botnet can deluge a victim with an enormous amount of data.

In essence, the attack is similar to using many Post-It notes to request entire Yellow Pages directories to be sent to a mailing address, rendering victims unable to perform their usual activities due to the sheer volume of delivered directories.

Secure Your DNS

Amplified DNS-based denial of service attacks are particularly difficult to defend against, because such attacks consist of large volumes of legitimate data sent from legitimate sources. These attacks are possible due to the large number of DNS servers configured to be open resolvers, responding to DNS requests without regard to the origin of the request.

The Open Resolver Project has identified 28 million DNS servers that pose a significant threat of being used in such an attack. Companies should ensure that their DNS servers are not among those capable of contributing to a denial of service attack by taking the following steps:

-- Limit recursion to only authorized clients, such as trusted networks and known DNS servers.

-- Identify and reject packets with spoofed IP addresses by verifying the IP address of their sources.

-- Limit the response rate of DNS servers so that they can't flood networks.

-- Limit the size of outbound DNS messages so that suspiciously large DNS replies are blocked.
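The three server-side controls in the list above (a recursion ACL, a per-client response rate limit, and a cap on UDP response size) can be seen working together in the following added Python simulation. It is an illustration written for this page, not code from the article or from any DNS server; the trusted networks, rate and size cap are hypothetical values, and the burst of same-size queries from one unknown source is constructed to have the shape of reflected traffic.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical trusted client ranges allowed to use recursion (not from the article).
AUTHORIZED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/24")]
RRL_RESPONSES_PER_SEC = 5        # hypothetical per-source response budget
MAX_UDP_RESPONSE_BYTES = 1232    # hypothetical cap on UDP reply size


@dataclass
class Query:
    src_ip: str
    qname: str
    recursion_desired: bool
    response_bytes: int          # size of the reply the server would send


class ResolverPolicy:
    """Decides, per query, whether an answer leaves the server and in what form."""

    def __init__(self, authorized_nets=AUTHORIZED_NETS,
                 rate=RRL_RESPONSES_PER_SEC, max_bytes=MAX_UDP_RESPONSE_BYTES):
        self.authorized_nets = authorized_nets
        self.rate = rate
        self.max_bytes = max_bytes
        self._buckets = {}       # src_ip -> (tokens, last_refill_time)

    def _authorized(self, src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.authorized_nets)

    def _take_token(self, src_ip: str, now: float) -> bool:
        # Token bucket per source address: refills at `rate` per second, holds at most `rate`.
        tokens, last = self._buckets.get(src_ip, (self.rate, now))
        tokens = min(self.rate, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._buckets[src_ip] = (tokens - 1, now)
            return True
        self._buckets[src_ip] = (tokens, now)
        return False

    def decide(self, q: Query, now: float) -> str:
        # 1. Recursion only for authorized clients; everyone else gets a tiny REFUSED.
        if q.recursion_desired and not self._authorized(q.src_ip):
            return "REFUSED"
        # 2. Response rate limiting: a spoofed victim address cannot be made to receive
        #    more than `rate` full replies per second from this server.
        if not self._take_token(q.src_ip, now):
            return "DROP"
        # 3. Oversized UDP replies go out truncated (TC bit) so a real client retries
        #    over TCP, whose handshake verifies the source address; a spoofer cannot.
        if q.response_bytes > self.max_bytes:
            return "TRUNCATE"
        return "ANSWER"


def simulate() -> list[str]:
    """Constructed traffic: one unknown source bursting, then an inside client."""
    policy = ResolverPolicy()
    traffic = ([Query("203.0.113.9", "informationweek.com", True, 346)]
               + [Query("203.0.113.9", "example.net", False, 346)] * 7   # zone we host
               + [Query("10.1.2.3", "informationweek.com", True, 346),
                  Query("10.1.2.3", "dnssec-heavy.example", True, 2877)])
    return [policy.decide(q, now=100.0) for q in traffic]


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```

In the simulation the outside source is refused recursion, gets five ordinary answers for the hosted zone, and is then dropped for the rest of the burst, while the inside client is answered and has its very large reply truncated. Real rate limiters (BIND's rate-limit with slip, for example) periodically send a truncated reply instead of dropping, so that legitimate clients behind a spoofed address can still complete over TCP.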

Further, check the status of your DNS servers by scanning them from a remote network with nmap, replacing x.x.x.x with the IP address of your server:

nmap -sU -p 53 -P0 --script "dns-recursion" x.x.x.x

This uses the dns-recursion script included in default nmap installations to send UDP packets to port 53 and report whether the server offers recursive queries. A reply containing the phrase:

"Recursion appears to be enabled"

denotes a server that might be open to abuse.
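What the nmap script is detecting is the RA (recursion available) bit in the DNS response header. The following added Python example, not from the article or from nmap, decodes that header from two constructed 12-byte replies (one from an open resolver, one from a server that refuses recursion) and checks the transaction ID and QR bit before trusting the flags, so it can be used to interpret replies captured from your own servers.

```python
import struct

# DNS header flag bits (RFC 1035 layout).
QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its ID, flags and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": RCODES.get(rcode, str(rcode)), "answers": an}


def recursion_status(query_id: int, response: bytes) -> str:
    """Same verdict the dns-recursion check reports, derived from the RA bit."""
    h = parse_header(response)
    if h["id"] != query_id or not h["qr"]:
        return "No matching response"
    if h["ra"]:
        return "Recursion appears to be enabled"
    return f"Recursion not offered ({h['rcode']})"


def make_response(txid: int, flags: int, answers: int = 0) -> bytes:
    # Constructed header only; a real reply also carries question and answer sections.
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)


OPEN_RESOLVER = make_response(0x1234, QR | RD | RA, answers=1)   # constructed
LOCKED_DOWN = make_response(0x1234, QR | RD | 5)                 # constructed: REFUSED, no RA

if __name__ == "__main__":
    print("open resolver :", recursion_status(0x1234, OPEN_RESOLVER))
    print("locked down   :", recursion_status(0x1234, LOCKED_DOWN))
```

A server that has had recursion restricted to authorized clients will, from an outside network, produce the second kind of reply: QR set, RA clear, and typically RCODE REFUSED.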

Ready, Set, Defend

Consider the ramifications of such an attack against your systems now, and prepare a defense-in-depth strategy. Distribute highly visible public-facing systems, such as websites, across the world via a content delivery network with enough bandwidth to withstand attack. Work with your providers to ensure that attacks against corporate networks are detected and blocked as far upstream as possible. It is also vital to detect traffic anomalies as soon as possible -- attacks might be preceded by transient peaks in traffic as attackers check that their systems are operational before launching a full assault. Automated detection of anomalous traffic can alert operators to take action and execute a prepared remediation plan.

Attackers are adept at exploiting Internet protocols that were designed for a benign world. To defend against these attacks, do your best to harden your systems. And when attacks occur, ensure that you're able to call on more resources and expertise than are available to the attackers.

Comments

Chuck Brooks, User Rank: Apprentice, 10/28/2013 | 11:38:21 PM
re: Is Your DNS Server A Weapon?
Distributed denial of service (DDoS) attacks are becoming increasingly focused and sophisticated. Many CISOs at corporations see such attacks as a top threat. Martin's suggestion of blocking connections from botnet IP addresses to protect bandwidth and ignoring repeat requests to the same URL to protect processing power is a good one. Future development of automated enterprise encryption may also become a solution to hardening systems.